Eric, > I don't believe that this claim reflects the consensus of the security > community.
As far as I have understood, the consensus is that there are bad (insecure) ECs (those from NIST which seem to be intentionally weakened / broken by various tricks) and good (secure) ECs (e.g. Ed25519). Unfortunately, the bad ones are much more used than the good ones, probably because the latter are younger and possibly not implemented in every crypto library (yet). I should have mentioned that the reason for my post was that I am trying to configure my web server as secure as possible. Given that, it seems to be very complicated to get information about which ECs are secure and which are not, and it seems overly complicated or even impossible to configure libraries / web servers / [your application here] to offer ECDHE, but to offer only the secure curves. So I thought it would be a good idea to disable ECs completely, but then FF wouldn't be able to connect to that website any more. > In any case, as Kurt Roeckx observes, Firefox currently supports the new > non-NIST CFRG curves. Yes, and this is good news I didn't know about yet. I now only can hope that I will be able to configure my web server to offer ECDHE, but only the secure curves. The question remains why FF doesn't offer ciphers like dhe_rsa_aes_256_gcm_sha384. That would indeed allow administrators to turn off EC on their web servers completely. They then could easily configure a very secure web server without thinking about good and bad EC curves (which might be beyond the average part time administrator's knowledge anyway). Binarus _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy

